firewall context

suthomas1 · ‎01-25-2010

Folks,

trying to set up security context for one of our remote clients. they have an ASA 5540 and want to use it for seperating their own & their subsidaries traffic flow. Would each of these contexts have their own seperate interface details? Will the main context ( system context, as i know) be the one with main config?Can the system context have main configs or does the configs have to be on the other contexts.

If the main context is to have the internet link connected, and the other contexts were to use this link , will the other contexts need seperate public ip's on their own interface for internet to work or will they be using main context.

Pls help me with sample config & how to start.

Thanks.

Panos Kampanakis · ‎01-31-2010

You need to allocate the interface to all the contexts. And then in each context configure the interface separately.

You are sharing the outside vlan but each context configures it separately.

I hope it helps.

PK

Kureli Sankar · ‎01-31-2010

system context - place holder for all system and other context configuration - allocating interfaces

individual context - virtual firewall - need to configure them just like you configure a firewall

Outside interface - if the outside vlan will be allocated to all contexts then, yes each context's outside interface should have a separate IP address.

Refer this link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml

-KS

suthomas1 · ‎02-04-2010

Thanks.Something which is confusing me. I plan to put in 4 contexts ( excluding admin). Is admin context required to be configured with ip address and things & whether i can rename it to be used a different context?

Second, this firewall is planned to get connected with a upstream router(most probably with a layer2 device in between). Now this router interface will have vlans ( 4 vlans) on it to cater to all 4 contexts. Is this correct and does this mean the outside interface is generally shared?

If not, please suggest a way out to understand the interfacing of upstream router & physical firewall.

Thanks in advance.

PS: different query related to context was cleared by another gentleman in different post, but out of nowhere i got this nagging doubt.h

Kureli Sankar · ‎02-04-2010

You can designate any context as the admin context wtih the "admin-context" command.

Admin context is there so, you can ssh or telnet to it and chang to any context and be able to manage it.

If you connect to any other context tha is not admin then you can hop around to other contexts from there.

The outside interface on all 4 contexts DOES NOT have to be shared.

If all the contexts will be internet facing then yes, all contexts will be sharing the outside interface.

-KS

suthomas1 · ‎02-05-2010

Is it possible for two applications sitting on different contexts to communicate with each other.

Thanks!

Jon Marshall · ‎02-05-2010

suthomas1 wrote:

Is it possible for two applications sitting on different contexts to communicate with each other.

Thanks!

Yes it is. You can do this one of 2 ways -

1) sharing an interface between the 2 contexts

2) routing the traffic out of one context and back into the other context just as you would with totally separate firewalls

Jon

francisco_1 · ‎02-05-2010

suthomas,

Most of what i have commented below has been answered but thought it will be help to give you quick Architectural overview of the context on ASA.

System Context
==============
Unlike other contexts, the system execution space does not have any Layer 2 or Layer 3 interfaces or any network settings. Rather, it is mainly used to define the attributes of other security context attributes. Here are the three important attributes configured for each context in the system execution space:

1, Location of context's startup configuration. The configuration of each context is also known as a configlet.
2, Interface allocation.
3, Additionally, many optional features, such as interface and boot parameters, can be configured within the system execution space.

Admin Context
==============
Also the admin context provides connectivity to network resources, as mentioned earlier. The IP addresses on the allocated interfaces can be used for remote management purposes, such as SSH or Telnet. The security appliance also uses the IP addresses to retrieve configurations for other contexts if they are located on a network share. A system administrator with access to the admin context can switch into the other contexts to manage them.

The security appliance uses the admin context to send the syslog messages that relate to the system.

The admin context configuration is similar to a customer context. Aside from its relationship to the system execution space, it can be used as a regular context. However, using it as a regular context is not recommended, because of its significance.

As mentioned above you can change the name of admin context BUT Changing the name of the admin context from admin is not recommended.

Pakcet Forwarding between Context
====================================

In multiple mode, the two contexts communicate with each other as if two standalone appliances were communicating with one another. The security contexts can talk to each other in two ways:

Without a shared interface
With a shared interface
Depending on what mode you use, the packet flow is different